Closed Bug 594760 Opened 9 years ago Closed 9 years ago

activeContent in nsEventStateManager::PostHandleEvent looks unsafe

Categories

(Core :: DOM: Events, defect)

x86
All
defect
Not set

Tracking

RESOLVED FIXED
Tracking Status
blocking1.9.2 --- needed
status1.9.2 --- .11-fixed
blocking1.9.1 --- needed
status1.9.1 --- .14-fixed

People

(Reporter: smaug, Assigned: smaug)

Details

(Whiteboard: [sg:critical?][critsmash:patch])

Attachments

(1 file)

Attached patch: patch
The variable is nsIContent*, but scripts may run before it is used.

I don't have a testcase, but based on the code this might lead to a crash when
using image maps and deleting the image element when it gets focus.
Or something like that.
Attachment #473527 - Flags: review?(roc)
Attachment #473527 - Flags: approval2.0?
Attachment #473527 - Flags: approval1.9.2.10?
Attachment #473527 - Flags: approval1.9.1.13?
Attachment #473527 - Flags: review?(roc)
Attachment #473527 - Flags: review+
Attachment #473527 - Flags: approval2.0?
Attachment #473527 - Flags: approval2.0+
Whiteboard: [sg:critical?][critsmash:patch]
Assignee: nobody → Olli.Pettay
Comment on attachment 473527 [details] [diff] [review]
patch

Approved for 1.9.2.11 and 1.9.1.14, a=dveditz
Attachment #473527 - Flags: approval1.9.2.11?
Attachment #473527 - Flags: approval1.9.2.11+
Attachment #473527 - Flags: approval1.9.1.14?
Attachment #473527 - Flags: approval1.9.1.14+
blocking1.9.1: --- → needed
blocking1.9.2: --- → needed
Group: core-security
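
The hazard described in the report (a raw content pointer held while scripts may run) shown as an added example, which is not the attached patch or Gecko code. `Content`, `Document`, `Script` and the helper functions are hypothetical, and `std::shared_ptr` stands in for Gecko's reference counting as an assumption. The raw pointer is never dereferenced; the example only detects that the object was destroyed while the pointer was still held.

```cpp
#include <functional>
#include <memory>

// Hypothetical stand-in for a refcounted DOM node (not Gecko's nsIContent).
struct Content {
    static int destroyed;              // number of destructor runs so far
    ~Content() { ++destroyed; }
};
int Content::destroyed = 0;

// Hypothetical document that holds the only owning reference to the element.
struct Document {
    std::shared_ptr<Content> element = std::make_shared<Content>();
};

using Script = std::function<void(Document&)>;

// Constructed "script": removes the element, dropping the document's reference.
void remove_element(Document& doc) { doc.element.reset(); }

// Unsafe pattern: only a raw, non-owning pointer is kept across the script call.
// Returns true if the object died while the raw pointer was still in scope.
bool raw_pointer_dangles(Document& doc, const Script& script) {
    int before = Content::destroyed;
    Content* active = doc.element.get();
    script(doc);                       // arbitrary script may run here
    (void)active;                      // would now be a dangling pointer; not used
    return Content::destroyed != before;
}

// Safe pattern: an owning reference keeps the object alive across the call.
bool strong_ref_dangles(Document& doc, const Script& script) {
    int before = Content::destroyed;
    std::shared_ptr<Content> active = doc.element;
    script(doc);                       // element leaves the document but stays alive
    return Content::destroyed != before;   // evaluated while 'active' still owns it
}

int main() {
    Document a, b;
    bool ok = raw_pointer_dangles(a, remove_element) &&
              !strong_ref_dangles(b, remove_element);
    return ok ? 0 : 1;
}
```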